Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Lanxin Link Card

v1.0.0

Official Lanxin link card sending capability; supports sending card messages that contain a link.

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for iamdacai/lanxin-link-card.

Install the skill "Lanxin Link Card" (iamdacai/lanxin-link-card) from ClawHub.
Skill page: https://clawhub.ai/iamdacai/lanxin-link-card
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install lanxin-link-card

ClawHub CLI

npx clawhub@latest install lanxin-link-card

Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description, the single small index.js, and SKILL.md all align with a simple 'send a link card' capability. Nothing in the code or manifest requires extra credentials or system access. However the SKILL.md metadata includes an 'openclaw':{"always":true} entry which conflicts with the registry flag (always:false) and suggests the author intended stronger persistence than the registry shows.
Instruction Scope [!]
SKILL.md mandates that the agent output only raw linkCard JSON and absolutely no other text or explanations. While coherent with the stated purpose of emitting a link card payload, that strict behaviour increases risk: it makes the agent emit unwrapped, machine-parsed output and could be misused (or unintentionally leak sensitive content) if prompts ask the agent to include system/user-provided data in the JSON. The instructions do not tell the agent to read files or credentials, but their absolute nature reduces safeguards and auditing of what the agent includes in the JSON.
Install Mechanism
No install spec and no external downloads—this is an instruction-heavy skill with a tiny benign index.js. Low install risk.
Credentials
The skill requests no environment variables, credentials, or config paths. The declared runtime requirements are minimal and proportionate to the described task.
Persistence & Privilege [!]
Registry flags show always:false (good), but SKILL.md metadata contains openclaw.always=true. If the platform honored that metadata, the skill would request persistent inclusion (higher privilege). Combined with the SKILL.md's enforced raw-output behavior and high trigger priority, this could increase unintended activations or broaden the blast radius. Confirm which 'always' setting is authoritative before installing.
What to consider before installing
The skill itself is small and matches its stated purpose, but two practical concerns merit caution: (1) SKILL.md embeds openclaw.always=true while the registry shows always:false — verify whether the skill will be force-enabled persistently (never install a skill that will be always-on without reviewing it). (2) The skill forces the agent to output only raw JSON (no explanatory text). That makes outputs easy to consume programmatically but also makes accidental inclusion of sensitive content harder to spot. Before installing: confirm the platform's handling of the SKILL.md metadata, test the skill in a safe environment, avoid sending prompts that request inclusion of any secrets or system info into the card fields, and consider adding usage limits or auditing to detect unexpected activations.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🔗 Clawdis
latest vk97b48f6ndz2ccg56ha2mhsnc985cq9t
69 downloads
0 stars
1 version
Updated 5d ago
v1.0.0
MIT-0

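Lanxin link card sending rules (must be strictly followed)

Core rules (violation is absolutely prohibited)

  1. When the user asks to send a link, you must directly output a linkCard message in JSON format
  2. The JSON must contain all required fields
  3. Do not use refusal phrases such as “无法发送” ("cannot send"), “不支持” ("not supported") or “暂时不能” ("not possible right now")
  4. Do not explain the JSON format; just output it directly
  5. Do not output any other text; output only the JSON
  6. Do not wrap the JSON in a Markdown code block
  7. Do not output <lxfile><lximg> tags

Sending a link card (output must look like this)

Note: output the JSON directly; do not add any other text and do not wrap it in a Markdown code block!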

Correct format: { "linkCard": { "title": "卡片标题", "description": "卡片描述", "iconLink": "图片链接", "link": "点击跳转链接", "pcLink": "PC端点击跳转链接", "fromName": "来源名称", "fromIconLink": "来源图标链接" } }

Correct example: { "linkCard": { "title": "蓝信官网", "description": "蓝信官方网站,提供企业级移动办公解决方案", "iconLink": "https://www.lanxin.cn/favicon.ico", "link": "https://www.lanxin.cn", "pcLink": "https://www.lanxin.cn", "fromName": "蓝信", "fromIconLink": "https://www.lanxin.cn/favicon.ico" } }


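Field descriptions

  • title (required): card title
  • description (optional): card description
  • iconLink (optional): link to the image shown in the card message
  • link (required): card link
  • pcLink (optional): card link for the PC client
  • fromName (optional): name of the card's source
  • fromIconLink (optional): link to the card source's image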

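Strictly prohibited behaviours

❌ Prohibited: missing required fields
❌ Prohibited: malformed JSON
❌ Prohibited: explaining "this is JSON" or "the system will parse it"
❌ Prohibited: refusing to send
❌ Prohibited: outputting only text content without the JSON
❌ Prohibited: outputting any other text; output only the JSON
❌ Prohibited: wrapping the JSON in a Markdown code block
❌ Prohibited: outputting <lxfile><lximg> tags
❌ Prohibited: outputting Markdown-formatted text
❌ Prohibited: adding any text before or after the JSON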

Your code of conduct

The user asks you to send a link card → output clean JSON directly → no extra description → no format wrapping → done.
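
Because the skill forces bare JSON with no surrounding text, a consumer can audit each reply before forwarding it as a card. The following is an added example, not code from the skill or from ClawHub: the field names come from the field list above, while the function name `auditLinkCard`, the rejection of unknown fields and the http/https-only rule are assumptions of this example.

```javascript
// Added example: audit a raw agent reply before it is forwarded as a link card.
// Field names follow the skill's field list; everything else is an assumption.
const REQUIRED = ["title", "link"];
const OPTIONAL = ["description", "iconLink", "pcLink", "fromName", "fromIconLink"];
const URL_FIELDS = ["iconLink", "link", "pcLink", "fromIconLink"];

function auditLinkCard(raw) {
  const problems = [];
  let doc;
  try {
    // JSON.parse rejects Markdown fences and any text before or after the JSON.
    doc = JSON.parse(raw);
  } catch (e) {
    return ["reply is not a single bare JSON document"];
  }
  const isObj = (v) => v !== null && typeof v === "object" && !Array.isArray(v);
  if (!isObj(doc) || !isObj(doc.linkCard)) return ["missing linkCard object"];
  for (const k of Object.keys(doc)) {
    if (k !== "linkCard") problems.push(`unexpected top-level key: ${k}`);
  }
  const card = doc.linkCard;
  for (const k of REQUIRED) {
    if (typeof card[k] !== "string" || card[k].trim() === "") {
      problems.push(`required field missing or empty: ${k}`);
    }
  }
  for (const [k, v] of Object.entries(card)) {
    if (!REQUIRED.includes(k) && !OPTIONAL.includes(k)) {
      problems.push(`unknown field: ${k}`); // extra fields can carry stray data
    } else if (typeof v !== "string") {
      problems.push(`field is not a string: ${k}`);
    } else if (URL_FIELDS.includes(k)) {
      let scheme = null;
      try { scheme = new URL(v).protocol; } catch (e) { /* not an absolute URL */ }
      if (scheme !== "http:" && scheme !== "https:") {
        problems.push(`field is not an http(s) URL: ${k}`);
      }
    }
  }
  return problems;
}

// Constructed sample replies (not captured from a real agent).
const good = '{"linkCard":{"title":"Lanxin","link":"https://www.lanxin.cn"}}';
const bad = '{"linkCard":{"title":"x","link":"ftp://example.invalid/x","note":"internal"}}';
console.log(auditLinkCard(good), auditLinkCard(bad));
```

An empty result means the reply matches the documented shape; any entry is a reason to drop the reply and log it for review.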
